Fifth Circuit court says that spoofing for mystery shopping is OK, for example.

Oh, Caller ID. You make our lives easier by telling us when our friends and family are calling. And you mystify us when a number like 111-1111 shows up on our phones. We're getting really annoyed when someone spoofs a number that isn’t real.

The feds (and some states) have taken notice, too. Back in 2007, Congress first proposed a bill that would disallow such fakery. Three years later it passed, and we’ve all been happier since the Truth in Caller ID Act (TCIA) came into force.

That is, unless you’re a company that sells the “SpoofCard” (we’re guessing you can figure out what that does), and/or a company that uses such trickery as a way for mystery shoppers to evaluate customer service.

The case dates back to 2010, when Mississippi passed a state law similar to (but stronger than) the federal spoofing bill. It was called the “Caller ID Anti-Spoofing Act,” or ASA.

“ASA is more restrictive than TCIA,” the Fifth Circuit wrote. “On the one hand, spoofing done with ‘intent to defraud, cause harm, or wrongfully obtain anything of value’ (harmful spoofing), in violation of TCIA, is also in violation of ASA. On the other hand, spoofing done without such intent, but ‘with the intent to deceive... or mislead the recipient of the call’ (non-harmful spoofing), violates only ASA.”

Two out-of-state companies, Teltech Systems (the makers of SpoofCard) and Wonderland Rentals (the mystery shopper folks) challenged the state law, saying it conflicted with the federal law and also violated the First Amendment and the Commerce Clause in the constitution.

A federal judge ruled in favor of the two out-of-state plaintiffs. On Monday, a federal appeals court agreed—albeit for different reasons. The appeals court drew a clear line between “harmful” and “non-harmful” spoofing—essentially affirming the right to non-harmful spoofing despite what any state law says.

“In the light of [TCIA]’s carefully drafted language and legislative history, and in spite of the presumption against preemption that attaches to a State’s exercise of its police power, there is an inherent federal objective in TCIA to protect non-harmful spoofing,” the Fifth Circuit concluded. “ASA’s proscription of non-harmful spoofing—spoofing done without ‘intent to defraud, cause harm, or wrongfully obtain anything of value’—frustrates this federal objective and is, therefore, conflict-preempted.”

Promoted Comments

So does this open up the door for debt collectors to start pretending they are someone else, or is that still covered in debt collection laws?

The Fair Debt Collection Practices Act still requires debt collectors to identify themselves as such and preface that their actions are to try and collect a debt and any information provided may be used for that purpose.

Spoofing as part of trying to convince someone that you aren't a debt collector when you are would be pretty blatantly in violation of the provision against spoofing w/the intent to "wrongfully obtain anything of value," since the only way for a collector to "rightfully" obtain that money is by explicitly identifying themselves.

Hiding your identity to collect on a debt is pretty much the dictionary definition of "defraud" ("to illegally obtain money by deception")

So does this open up the door for debt collectors to start pretending they are someone else, or is that still covered in debt collection laws?

I believe they would not be prohibited from doing so by the TICA as long as it was conducted without ‘intent to defraud, cause harm, or wrongfully obtain anything of value’.

The ruling shouldn't change any existing restrictions on debt collectors, of which there are many. It doesn't make anything legal, it just means that if you couldn't slam them for caller ID spoofing before, you can't use TICA to do it now.

So does this open up the door for debt collectors to start pretending they are someone else, or is that still covered in debt collection laws?

The Fair Debt Collection Practices Act still requires debt collectors to identify themselves as such and preface that their actions are to try and collect a debt and any information provided may be used for that purpose.

Spoofing as part of trying to convince someone that you aren't a debt collector when you are would be pretty blatantly in violation of the provision against spoofing w/the intent to "wrongfully obtain anything of value," since the only way for a collector to "rightfully" obtain that money is by explicitly identifying themselves.

Hiding your identity to collect on a debt is pretty much the dictionary definition of "defraud" ("to illegally obtain money by deception")

this part is what bothers me most. it's obviously worth something to the people going to great lengths to hide their identity, or they wouldn't hide. they know that if they don't hide their identity, people won't answer their calls. so that should really tell you something.

this part is what bothers me most. it's obviously worth something to the people going to great lengths to hide their identity, or they wouldn't hide. they know that if they don't hide their identity, people won't answer their calls. so that should really tell you something.

I can't think of a lot of consumer-friendly reasons to spoof your caller ID. However, the one that comes to mind is one that our firm would take advantage of if we could. We have a primary phone number that's advertised and promoted, and we pay extra for an "easy to remember" number. I would like to be able to have that number show in the caller ID, rather than the actual number of the line my call goes out on. But I don't view that as "spoofing," merely as another way to promote a phone number we're already promoting. Our telco won't allow all the lines to show the caller ID of the primary number, although they easily could, because they believe this law forbids it.

this part is what bothers me most. it's obviously worth something to the people going to great lengths to hide their identity, or they wouldn't hide. they know that if they don't hide their identity, people won't answer their calls. so that should really tell you something.

I suspect a lot of upcoming cases will hinge on nitpicking those words.

This seems reasonable. Our voicemail system can make outbound calls to peoples cell phones if they have that configured, a "Find me" feature. The phone system uses the original inbound callerID as the data for the outbound call, so the call looks like it's coming from the original party and not our voicemail system. People like it.

there is an inherent federal objective in TCIA to protect non-harmful spoofing,” the Fifth Circuit concluded. “ASA’s proscription of non-harmful spoofing—spoofing done without ‘intent to defraud, cause harm, or wrongfully obtain anything of value’

My time is of value. If you are spoofing a phone number so that I will pick up instead of ignoring you, you are trying to wrongfully obtain something of value.

(I understand why there would be exceptions for and protection of efforts to hide the identity of mystery shoppers and other such services that a company has actually paid for and wants to have its call centers in the dark.)

So does this open up the door for debt collectors to start pretending they are someone else, or is that still covered in debt collection laws?

The Fair Debt Collection Practices Act still requires debt collectors to identify themselves as such and preface that their actions are to try and collect a debt and any information provided may be used for that purpose.

Spoofing as part of trying to convince someone that you aren't a debt collector when you are would be pretty blatantly in violation of the provision against spoofing w/the intent to "wrongfully obtain anything of value," since the only way for a collector to "rightfully" obtain that money is by explicitly identifying themselves.

Hiding your identity to collect on a debt is pretty much the dictionary definition of "defraud" ("to illegally obtain money by deception")

This is basically what I was trying to get at, except I needed someone with more knowledge about collection law to fill in the specifics for me. Because the Fair Debt Collection Practices Act requires collectors to identify themselves as such, spoofing their identity would trigger the TICA's "wrongfully" clause. That's what I meant when I said it doesn't really make anything legal that was previously illegal (with the narrow exception of the over-broad Mississippi ASA).

t_newt wrote:

I can see the judge's intent (a company wanting to hire mystery shoppers to test out its customer service), but I don't think he's thinking of the consequences.

He's just opened up a loophole in the law, that every crook, fraud, stalker, and lawyer is going to take advantage of.

And does the law say anything about exceptions to spoofing? If not, then who does this judge think he is rewriting laws passed by Congress?

I'm not so sure. The minute you do anything crook-ish or fraud-ish you hit the "defraud" and "wrongfully" clauses. Stalkers (probably) hit "harm".

Without having read the decision in detail, the judge "thinks" he's upholding the First Amendment & commerce clauses of the constitution. Neither federal nor state legislatures get to run roughshod over that.

And what happens when the likes of Australia pretend to be Royals ring a hospital asking about a family member manage to cause a suicide?

Ignoring jurisdiction issues (Australia/England are not the USA), it'd almost certainly be covered under the first amendment. Just like almost every protected prank/satire phone call made on every radio show ever.

Only possible ways I could see you getting tripped up would be if you intended to cause harm (rather than to entertain, as the DJs would argue) or if you fell afoul of some medical privacy laws. None of that has to do with caller ID.

I can't think of a lot of consumer-friendly reasons to spoof your caller ID. However, the one that comes to mind is one that our firm would take advantage of if we could. We have a primary phone number that's advertised and promoted, and we pay extra for an "easy to remember" number. I would like to be able to have that number show in the caller ID, rather than the actual number of the line my call goes out on. But I don't view that as "spoofing," merely as another way to promote a phone number we're already promoting. Our telco won't allow all the lines to show the caller ID of the primary number, although they easily could, because they believe this law forbids it.

In Atlanta (AT&T) you absolutely can have outgoing calls show your main number; I helped set one up that way. In that case, the customer had a PRI (Primary Rate Interface, AKA T-1, but really 23B+D ISDN) and the customer equipment sent the caller ID. My (layman's) understanding of the law is that one has to send as caller ID a number that one controls and that could, at least theoretically, be used to call one back.

If someone is already breaking the law, why would they care about spoofing caller ID? It would be like someone in a vehicle plowing into a kindergarten playground, killing all the kids, and also being cited for a taillight being out. If someone is already running a scam, caller ID is the last thing they care about. The only way to stop caller ID is to hold bulk outbound dialing services liable for the calls their customers place, and make it more painful to take shady money from scammers. But do we want the government placing restrictions on our communications like that?

Waiting for VoIP to take off where I can white list friends, forward unknown to voice mail, and black-list others, all while using certificates.

At least some of that is sorta-kinda possible with Google Voice. It supports screening callers - it'll still ring you, but Google's robot voice will say "Call from (audio of whatever the caller said their name was)" and give you an option to send directly to voicemail." It supports blocked callers, ring scheduling, and other goodies like voicemail transcription. It does VoIP from your computer. The Google app doesn't do VoIP from your smartphone directly, but there are companion apps that make this possible (I use GrooVe IP).

Not sure what you mean by using certificates.

So maybe not quite as mature or complete as you'd like, but a damn sight better than anything I've seen Verizon or AT&T offering at the consumer level. Oh, and it's free*.

Exception being international calls, but that shouldn't be a surprise.

This seems reasonable. Our voicemail system can make outbound calls to peoples cell phones if they have that configured, a "Find me" feature. The phone system uses the original inbound callerID as the data for the outbound call, so the call looks like it's coming from the original party and not our voicemail system. People like it.

My $.02: That's a relay, not a spoof.

To me, the important part of caller ID is ... what it says - that it identifies the caller. If I can call the number that shows up on caller ID and get the person (or at least the business) that called me... it's all good.

People who are hired to test the customer service of various (mostly retail) companies.

You are given an assignment to call, visit, or whatever a specified company location. You detail your experience with times, names, and what is said, and write a report that goes to that company.

The reports are used to grade each store based on how they followed the dictated customer experience requirements. The last retail place I worked had fireable conditions if you didn't follow certain parts of the script exactly.

this part is what bothers me most. it's obviously worth something to the people going to great lengths to hide their identity, or they wouldn't hide. they know that if they don't hide their identity, people won't answer their calls. so that should really tell you something.

I can't think of a lot of consumer-friendly reasons to spoof your caller ID. However, the one that comes to mind is one that our firm would take advantage of if we could. We have a primary phone number that's advertised and promoted, and we pay extra for an "easy to remember" number. I would like to be able to have that number show in the caller ID, rather than the actual number of the line my call goes out on. But I don't view that as "spoofing," merely as another way to promote a phone number we're already promoting. Our telco won't allow all the lines to show the caller ID of the primary number, although they easily could, because they believe this law forbids it.

Interesting... If you had your own switch you could request from your carrier to send name and calling number (which isn't ANI in this case).

this part is what bothers me most. it's obviously worth something to the people going to great lengths to hide their identity, or they wouldn't hide. they know that if they don't hide their identity, people won't answer their calls. so that should really tell you something.

I can't think of a lot of consumer-friendly reasons to spoof your caller ID. However, the one that comes to mind is one that our firm would take advantage of if we could. We have a primary phone number that's advertised and promoted, and we pay extra for an "easy to remember" number. I would like to be able to have that number show in the caller ID, rather than the actual number of the line my call goes out on. But I don't view that as "spoofing," merely as another way to promote a phone number we're already promoting. Our telco won't allow all the lines to show the caller ID of the primary number, although they easily could, because they believe this law forbids it.

Interesting... If you had your own switch you could request from your carrier to send name and calling number (which isn't ANI in this case).

I worked at a place that had multiple voice T-1s, and all outbound calls went out on one number. It's trivial to do if you have your own PBX. Since the telco is balking, kick it up until you get satisfaction. It's not even spoofing, it's call routing more than anything else.

Seems to me... If you block your caller I'd, then they don't know who is calling, and have the option to take the call or not. Wouldn't that work for the mystery shopper deal? Sending a spoof Id is simply lying with the intent to deceive.

Caller ID spoofing is also useful in callcenter environments where you might have one or more phone systems in front of the agent and you don't want the agent's outbound number being the one that shows up if they need to make an outbound call to a customer.

I worked on an outsourced Help Desk phone system like this, where we didn't want the customers calling the call center back directly if they were to get the caller ID number as the call recording and other functionality was handled by the inbound phone system. We did end up spoofing in the "normal" inbound number of the phone system to get around this.

I'm still a believer that if it can be used legitimately, 99 times out of a 100, it should be legal. Tired of finding things I want to do be illegal because somebody out there doesn't like it.

The problem is they can just keep calling you with a different number every 15 minutes until you finally pick it up out of desperation. Since the number keeps changing you can't block it and it would probably be hard to prove it was the same person/place making all the calls.

Seems to me... If you block your caller I'd, then they don't know who is calling, and have the option to take the call or not. Wouldn't that work for the mystery shopper deal? Sending a spoof Id is simply lying with the intent to deceive.

I'm fairly sure it wouldn't take long before it got out that "Private Caller" "Unavailable" or whatever message came up instead of a number meant the boss was checking up on you, which defeats the purpose of mystery shoppers.

Seems to me... If you block your caller I'd, then they don't know who is calling, and have the option to take the call or not. Wouldn't that work for the mystery shopper deal? Sending a spoof Id is simply lying with the intent to deceive.

I'm fairly sure it wouldn't take long before it got out that "Private Caller" "Unavailable" or whatever message came up instead of a number meant the boss was checking up on you, which defeats the purpose of mystery shoppers.

At every retail job i've had where they use secret shoppers, there is no caller id at all unless it's an internal call from another department. You just know which line is ringing if it's an outside call.

Plus, plenty of real customers call in with questions but block their caller id by default. And not answering the customer's call (esp when it's a secret shopper) can be a disciplinary action.

That said, i have been that secret shopper when i worked at autozone. Management had to call other stores (usually out of our normal area so they wouldnt recognize our voice) to do the test. But we didnt do anything to mask caller id either. We called using the store phone. So if by some chance the receiving store had caller id, they'd see another autozone calling them. But honestly, in a busy retail store, who has time to look at caller id anyway?? We just want the damn phone to stop ringing so we can handle the customers right in front of us.

If someone is already breaking the law, why would they care about spoofing caller ID?

Yeah, this is my thought. The people spoofing their numbers are already violating the Do-Not-Call list in calling me anyway. They're not going to think twice about breaking this law. It's a nice sounding law that I'd fully support if it did any good. But it won't. Now if someone would invent a way for me to send a signal back over a connection to blow up the phone system of the telemarketers trying to call me, that would be awesome.

Seems to me... If you block your caller I'd, then they don't know who is calling, and have the option to take the call or not. Wouldn't that work for the mystery shopper deal? Sending a spoof Id is simply lying with the intent to deceive.

I'm fairly sure it wouldn't take long before it got out that "Private Caller" "Unavailable" or whatever message came up instead of a number meant the boss was checking up on you, which defeats the purpose of mystery shoppers.

At every retail job i've had where they use secret shoppers, there is no caller id at all unless it's an internal call from another department. You just know which line is ringing if it's an outside call.

Plus, plenty of real customers call in with questions but block their caller id by default. And not answering the customer's call (esp when it's a secret shopper) can be a disciplinary action.

That said, i have been that secret shopper when i worked at autozone. Management had to call other stores (usually out of our normal area so they wouldnt recognize our voice) to do the test. But we didnt do anything to mask caller id either. We called using the store phone. So if by some chance the receiving store had caller id, they'd see another autozone calling them. But honestly, in a busy retail store, who has time to look at caller id anyway?? We just want the damn phone to stop ringing so we can handle the customers right in front of us.